socket buffer operation error when using TCP/TLS

[paride]

While setting up a turns: server I noticed that I could not connect to it using Google's webrtc library [1].

2721: IPv4. tcp or tls connected to: 1.2.3.4:47716
2721: session 000000000000000002: TLS/TCP socket disconnected: 1.2.3.4:47716
2721: session 000000000000000002: closed (2nd stage), user <> realm origin <>, local 192.168.43.70:8443, remote 1.2.3.4:47716, reason: TLS/TCP socket buffer operation error (callback)

In order to guess what the problem is I tried to connect to coturn via https using Chromium, but the browser gave me this error: ERR_SSL_PROTOCOL_ERROR , while coturn logged the same error as before. After trying a few things I noticed that I could connect to the server using Firefox, curl, or other tools, but not with Chromium. If I don't use TLS everything works fine both with Chromium and with the webrtc library.

I really don't know what could be wrong. The only thing I can think of if that both Chromium and the webrtc library use Google's BoringSSL library instead of OpenSSL, so the culprit may lie there,

This issue is easy to reproduce, for example this is a coturn server working fine with curl

$ curl https://turn1.whispersystems.org
<!DOCTYPE html>
<html>
  <head>
    <title>TURN Server (https admin connection)</title>
 <style> table, th, td { border: 1px solid black; border-collapse: collapse; text-align: left; padding: 5px;} table#msg th { color: red; background-color: white; } </style> </head>
  <body>
    <b>TURN Server</b><br><i>https admin connection</i><br>
<br>To use the HTTPS admin connection, you have to set the database table <b><i>admin_user</i></b> with the admin user accounts.<br>
</body>
</html>

the same is true with Firefox, while Chromium gives ERR_SSL_PROTOCOL_ERROR. I'm not the only one experiencing this issue [2] [3].

I'm running coturn 4.5.0.5 from Debian Stretch.

[1] https://chromium.googlesource.com/external/webrtc
[2] https://groups.google.com/forum/#!topic/turn-server-project-rfc5766-turn-server/CxrWCQjDGKc
[3] https://groups.google.com/forum/#!topic/turn-server-project-rfc5766-turn-server/-jFdNKSdebE

[mom040267]

As far as i understand boring ssl is not 100% compatible with open ssl. If there is a protocol difference then you have to use separate turn servers for chromium and for other users - the first one linked with boring ssl, the second linked with open ssl. That sounds silly, i understand. Somebody has to debug what is wrong in the negotiations.

…

Sent from my iPhone

On Mar 20, 2017, at 3:06 PM, Paride Legovini ***@***.***> wrote: While setting up a turns: server I noticed that I could not connect to it using Google's webrtc library [1]. 2721: IPv4. tcp or tls connected to: 1.2.3.4:47716 2721: session 000000000000000002: TLS/TCP socket disconnected: 1.2.3.4:47716 2721: session 000000000000000002: closed (2nd stage), user <> realm origin <>, local 192.168.43.70:8443, remote 1.2.3.4:47716, reason: TLS/TCP socket buffer operation error (callback) In order to guess what the problem is I tried to connect to coturn via https using Chromium, but the browser gave me this error: ERR_SSL_PROTOCOL_ERROR , while coturn logged the same error as before. After trying a few things I noticed that I could connect to the server using Firefox, curl, or other tools, but not with Chromium. If I don't use TLS everything works fine both with Chromium and with the webrtc library. I really don't know what could be wrong. The only thing I can think of if that both Chromium and the webrtc library use Google's BoringSSL library instead of OpenSSL, so the culprit may lie there, This issue is easy to reproduce, for example this is a coturn server working fine with curl $ curl https://turn1.whispersystems.org <!DOCTYPE html> <html> <head> <title>TURN Server (https admin connection)</title> <style> table, th, td { border: 1px solid black; border-collapse: collapse; text-align: left; padding: 5px;} table#msg th { color: red; background-color: white; } </style> </head> <body> <b>TURN Server</b><br><i>https admin connection</i><br> <br>To use the HTTPS admin connection, you have to set the database table <b><i>admin_user</i></b> with the admin user accounts.<br> </body> </html> the same is true with Firefox, while Chromium gives ERR_SSL_PROTOCOL_ERROR. I'm not the only one experiencing this issue [2] [3]. I'm running coturn 4.5.0.5 from Debian Stretch. [1] https://chromium.googlesource.com/external/webrtc [2] https://groups.google.com/forum/#!topic/turn-server-project-rfc5766-turn-server/CxrWCQjDGKc [3] https://groups.google.com/forum/#!topic/turn-server-project-rfc5766-turn-server/-jFdNKSdebE — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

[paride]

Wait, it is not supposed to be like this, otherwise Google products would be unusable. BoringSSL is just another library implementing TLS, it's derived from OpenSSL and it's not breaking the standard.

[davidben]

This is caused by a typo in the ALPN callback. ta_len here should be ha_len. As a result, you're not actually spelling "http/1.1" in your ALPN callback correctly. Newer Chromes notice this and fail the connection. Previously, we would silently treat anything we didn't recognize as HTTP/1.1.

coturn/src/apps/relay/mainrelay.c

Line 2459 in 516e534

*outlen = ta_len;

[vol4iniche]

I see the same issue in the 4.5.0.6 version

[MichaIng]

I ran into the same issue on 4.5.0.5 (version before the fix was applied). Upgraded to 4.5.0.7 and issue was gone.

Just checked code on 4.5.0.6 and the fix already seems to be applied there:

coturn/src/apps/relay/mainrelay.c

Line 2459 in 6aa8b76

*outlen = ha_len;

• Also fits to release date > date of fix.

So if @vol4iniche you still face the issue, then there seems to be something else wrong. ERR_SSL_PROTOCOL_ERROR of course can have many reasons. Check if the coturn log file contains the same error messages as well.

[jonathanmmm]

Where is this file? Tried to find it, I have debian 8 and only 4.5.0.5-1+deb9u1 version is installed.

Would like to change this on my own.

[MichaIng]

@jonathanmmm
This is a source file, so you cannot fix this on an installed coTURN.

4.5.0.5-1+deb9u1

So you are on Debian 9 Stretch, aren't you?
From there you can install coTURN 4.5.1 from backports: https://packages.debian.org/stretch-backports/coturn

[jonathanmmm]

Can you help what I have to enter in the sources list, please? :)
I dont want to Update All Things automatically to backports (if this could Happen?)

And do I need, for Turn and stun to properly Work, to be able to come to the Admin Page? I Just use Static Secret with nextcloud talk